Version 1.3 of the Disable REST API plugin is out now, to support the recent updates to the REST API introduced in WordPress 4.7.
Previous versions of the plugin accessed the available filters which let developers to turn the REST API off like a light switch. These filters have been deprecated in 4.7, which means that while they exist they no longer actually disable the API.
This shift makes a lot of sense from the core team’s point of view. Editing tools in the admin area are going to plan to use the REST API in the future, to improve the admin area experience for editing content. To that end, they don’t want something which easily disables the content endpoints of the REST API.
The new recommendation is to raise an authentication error if you do not wish for endpoints to be accessible, so that’s exactly what the plugin does as of version 1.3. If you are logged into a website as a user, the endpoints will all function as designed. However, if you are an unauthenticated anonymous user who tries to access endpoints of the API (even ones that are typically designated as publicly accessible) you will be greeted with an authentication error when this plugin is installed and activated.
WordPress versions 4.4x, 4.5.x, and 4.6.x will all continue to use the `rest_enabled` filters; but please don’t use this as an excuse to not patch your website. I still strongly recommend everyone keep their websites up to date and running the latest version of core whenever possible.
I will gauging interest in an update to the plugin which would allow administrators to further tighten up access to the REST API based on user role: it is very possible that websites that have basic Subscriber users or custom low-permission users (like websites running WooCommerce, BuddyPress, or numerous other custom applications with user login areas) will still want to disable the REST API for some reason, and currently any site that allows these types of users could still easily be accessed by one of those users.